Basic iptables configuration
Here is a small basic example showing how to set up your iptables rules.
First we reset everything: flush all rules, zero the counters and delete any user-defined chains. See the man page for exact details on the parameters we use.
    iptables -F
    iptables -Z
    iptables -X
Create some chains that will provide us with some logging.
    iptables -N logdrop
    iptables -N logreject
    iptables -N logaccept
Add some rules to these chains.
    iptables -A logdrop -j LOG --log-prefix 'DROP: ' --log-level warning
    iptables -A logdrop -j DROP
    iptables -A logreject -j LOG --log-prefix 'REJECT: ' --log-level warning
    iptables -A logreject -j REJECT
    iptables -A logaccept -j LOG --log-prefix 'ACCEPT: ' --log-level warning
    iptables -A logaccept -j ACCEPT
Now you have a basic setup with some logging.
The next step will be to apply your rules and jump to the corresponding chain on a positive match.
You could leave the default policies for the INPUT, FORWARD and OUTPUT chains at ACCEPT and add a jump to logdrop as the last rule of each chain, so that any packet not matched by an earlier rule is logged and dropped.
Small example:
    # Accept loopback traffic
    iptables -A INPUT -i lo -j ACCEPT
    # Accept traffic from established connections
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Accept new SSH connections
    iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m comment --comment "Allow SSH" -j logaccept
    # Accept new SSL connections
    iptables -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -m comment --comment "Allow SSL" -j logaccept
    # Accept new HTTP connections
    iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "Allow HTTP" -j logaccept
    # Drop and log everything else incoming
    iptables -A INPUT -j logdrop
    iptables -A FORWARD -j logreject
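The steps above (reset, logging chains, allow rules, terminal logdrop/logreject) can also be expressed as a single ruleset in iptables-restore format, which is loaded atomically instead of one rule at a time. The script below is an added example and not part of the original article; the function names, the port-list parameter and the comment text are this example's own choices. It only generates the ruleset, so it runs without root and can be reviewed before loading.

```shell
#!/bin/sh
# Added example (not from the original article): generate the article's rule set
# in iptables-restore format. Function and variable names are this example's own.

# Emit a complete filter-table ruleset on stdout.
# $1 = space-separated TCP ports to accept for NEW connections (default 22 443 80).
build_ruleset() {
  ports="${1:-22 443 80}"
  printf '%s\n' '*filter'
  # Default policies stay ACCEPT, as in the article; the terminal logdrop and
  # logreject rules below provide the actual default-deny behaviour.
  printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' ':logdrop - [0:0]' ':logreject - [0:0]' ':logaccept - [0:0]'
  # Logging chains: log with a prefix, then take the terminal action.
  for chain in drop reject accept; do
    upper=$(printf '%s' "$chain" | tr a-z A-Z)
    printf '%s\n' "-A log$chain -j LOG --log-prefix \"$upper: \" --log-level warning"
    printf '%s\n' "-A log$chain -j $upper"
  done
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
  # One logged accept rule per allowed port; matches come before the jump.
  for port in $ports; do
    printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -m state --state NEW -m comment --comment \"Allow tcp/$port\" -j logaccept"
  done
  # Everything else incoming is logged and dropped; forwarded traffic is logged and rejected.
  printf '%s\n' '-A INPUT -j logdrop' '-A FORWARD -j logreject' 'COMMIT'
}

# Sanity check: number of INPUT rules that jump to logaccept for a port list.
count_accept_rules() {
  build_ruleset "$1" | grep -c -e '-A INPUT .* -j logaccept$'
}

# Sanity check: the last INPUT rule must be the default-deny jump to logdrop,
# otherwise a later rule could accept traffic that was meant to be dropped.
last_input_is_logdrop() {
  build_ruleset "$1" | grep -e '^-A INPUT' | tail -n 1 | grep -q -e '-j logdrop$'
}

# Usage: preview with `build_ruleset`, then load with `build_ruleset | iptables-restore`
# (as root). iptables-save will show the result in the same format.
```

Because iptables-restore replaces the whole table in one step, there is no window in which the chains are flushed but the allow rules are not yet in place, which is the main practical difference from running the individual iptables commands above.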
You could then add a small piece of configuration to rsyslog to split these messages out into separate log files, for example in /etc/rsyslog.d/iptables.conf:
    :msg,contains,"ACCEPT: " /var/log/iptables-accept.log
    :msg,contains,"REJECT: " /var/log/iptables-reject.log
    :msg,contains,"DROP: " /var/log/iptables-drop.log
Good article, thanks!